From 4ca9e588b5a8752f0b36f5aec1fc48164265f513 Mon Sep 17 00:00:00 2001
From: orion
Date: Thu, 16 Apr 2026 08:54:19 +0000
Subject: [PATCH] security: bind all ports to 127.0.0.1

Docker bypasses ufw and exposes 0.0.0.0-bound ports directly via iptables DNAT rules, even when ufw default policy is deny. Bind every service port to 127.0.0.1 so only nginx (and SSH tunnels for wizard) can reach them from outside.
---
 docker-compose.yml | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index eed49f5..7884d6c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,7 +2,7 @@ services:
   backend:
     image: git.hangman-lab.top/hzhang/hangmanlab-backend:latest
     ports:
-      - "$BACKEND_PORT:$BACKEND_PORT"
+      - "127.0.0.1:$BACKEND_PORT:$BACKEND_PORT"
     env_file:
       - .env
     depends_on:
@@ -15,7 +15,7 @@ services:
   frontend:
     image: git.hangman-lab.top/hzhang/hangmanlab-frontend:latest
     ports:
-      - "$FRONTEND_PORT:80"
+      - "127.0.0.1:$FRONTEND_PORT:80"
     env_file:
       - .env
     depends_on:
@@ -27,7 +27,7 @@ services:
     image: mysql:8.0
     container_name: mysql
     ports:
-      - "$DB_PORT:$DB_PORT"
+      - "127.0.0.1:$DB_PORT:$DB_PORT"
     environment:
       MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
       MYSQL_DATABASE: ${DB_NAME}
@@ -65,7 +65,7 @@ services:
     image: git.hangman-lab.top/zhi/harborforge-backend:multi-stage
     restart: "no"
     ports:
-      - "$HF_BACKEND_PORT:8000"
+      - "127.0.0.1:$HF_BACKEND_PORT:8000"
     volumes:
       - wizard_config:/config:ro
     environment:
@@ -80,10 +80,18 @@ services:
     networks:
       - app-network
 
+  wizard_init:
+    image: busybox:1.36
+    restart: "no"
+    user: "0:0"
+    volumes:
+      - wizard_config:/config
+    command: ["sh", "-c", "chown -R 65532:65532 /config"]
+
   wizard:
     image: git.hangman-lab.top/nav/abstract-wizard:latest
     ports:
-      - "$WIZARD_PORT:8080"
+      - "127.0.0.1:$WIZARD_PORT:8080"
     volumes:
       - wizard_config:/config
     environment:
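Review bot: `127.0.0.1:$BACKEND_PORT:$BACKEND_PORT` in the `backend` hunk keeps Docker's DNAT rules off the external interfaces, but the commit message's "only nginx" overstates it: every local account on the host and any container run with `network_mode: host` can still connect to the loopback port, so the backend must keep its own authentication rather than treat the bind address as an access control. Two host-side steps the patch does not cover and that a reviewer would want recorded: set `"ip": "127.0.0.1"` in `/etc/docker/daemon.json` so a future `ports:` entry without the prefix does not silently regress to `0.0.0.0`, and confirm `net.ipv4.conf.all.route_localnet` is `0`, since with it enabled loopback-bound published ports have reportedly been reachable from the LAN through the same DNAT path on older Docker releases. A comment above the first `ports:` block would keep the rationale with the file: `# host-bound to loopback on purpose: Docker's DNAT bypasses ufw for 0.0.0.0 binds; only the host nginx proxy should reach this`. The `backend` service definition continues past the end of the hunk.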
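Review bot: `127.0.0.1:$DB_PORT:$DB_PORT` in the `mysql` hunk still publishes the database to the host, and nothing visible in this file needs that — `backend` presumably reaches it by service name over the compose network, and a loopback-published DB port is reachable by every local account and by any host-network container. Unless a host-side admin client depends on it, drop the `ports:` entry for `mysql` entirely (the container stays reachable on the compose network); if it must stay, mark it deliberate with `# loopback-only: for local admin clients over an SSH tunnel, not used by app services`. The `mysql` service header is above the hunk, so I cannot see whether it is attached to `app-network`; verify that before removing the publish.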
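Review bot: The new `wizard_init` service runs as root (`user: "0:0"`) with write access to `wizard_config` but is pinned to a mutable tag, `image: busybox:1.36`; pin it by digest, `image: busybox:1.36@sha256:<digest>`, so a retagged upstream image cannot silently swap out the one container in this file that runs as UID 0. Also `chown -R 65532:65532 /config` fixes ownership only — `hf_backend` mounts the same volume `:ro`, and if it runs as a UID other than 65532 the group/other mode bits decide whether it can read the config, which the chown does not touch; once the expected UIDs are known, either add an explicit `chmod` to the command or document the assumption with `# wizard runs as 65532; hf_backend relies on group/other read bits`. The `wizard` service definition continues past the end of the hunk.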
@@ -91,13 +99,16 @@ services:
       LISTEN_ADDR: "0.0.0.0:8080"
       MAX_BACKUPS: "5"
       CORS_ORIGINS: ${HF_FRONTEND_HOST}
+    depends_on:
+      wizard_init:
+        condition: service_completed_successfully
     networks:
       - app-network
 
   hf_frontend:
     image: git.hangman-lab.top/zhi/harborforge-frontend:latest
     ports:
-      - "$HF_FRONTEND_PORT:3000"
+      - "127.0.0.1:$HF_FRONTEND_PORT:3000"
     environment:
       FRONTEND_DEV_MODE: ${HF_FRONTEND_DEV_MODE:-0}
       NODE_ENV: production
@@ -112,7 +123,7 @@ services:
     container_name: harborforge-monitor
     restart: unless-stopped
     environment:
-      HF_MONITER_BACKEND_URL: ${HF_MONITOR_BACKEND_URL:-https://hf.hangman-lab.top}
+      HF_MONITER_BACKEND_URL: ${HF_MONITOR_BACKEND_URL:-https://hf-api.hangman-lab.top}
       HF_MONITER_IDENTIFIER: ${HF_MONITOR_IDENTIFIER}
       HF_MONITER_API_KEY: ${HF_MONITOR_API_KEY}
       HF_MONITER_REPORT_INTERVAL: "30"